Legal Implications of the AMCA Data Breach
Attorney Paul Hales Explains Why Collection Agency's Clients Will Be Targeted
The relationship between American Medical Collection Agency and its clients affected by the company's data breach will be closely examined as breach-related lawsuits progress, says attorney Paul Hales, a HIPAA specialist. That's because plaintiffs will attempt to win settlements from AMCA's deep-pocket laboratory company clients, he says.
AMCA's parent company, Retrieval-Masters Credit Bureau, filed a petition for bankruptcy protection in a New York federal court in June, just weeks after the public disclosure of the data breach, which affected the protected health information of more than 20 million individuals. Those victims included millions of patients of AMCA's largest clients, including the medical testing laboratories Quest Diagnostics and LabCorp.
In its bankruptcy court filing, AMCA says it faced "a cascade of events that ultimately has resulted in the [company's] need to seek relief under Chapter 11." That includes Quest Diagnostics, LabCorp and other clients ending their business relationships with AMCA in the aftermath of the breach.
But those factors, and AMCA's bankruptcy filing, will not necessarily get Quest Diagnostics, LabCorp and other AMCA clients off the hook in the many class action lawsuits filed against AMCA and the labs in the aftermath of the breach, says Hales, who is not involved in the case.
Key Legal Issue
"A key legal issue is whether AMCA acted as an 'agent' under federal common law. ... That's incorporated in the HIPAA enforcement [regulations]," Hales explains in an interview with Information Security Media Group.
To determine whether a business associate acted as an "agent" of a HIPAA covered entity, federal regulators look at "the level of control over a business associate that a covered entity is able to have, as established under a contract, such as a business associate agreement, and whether that control is used or not," he says.
"Lawyers like to use boilerplate language that gives maximum control to their clients. And that's usually good, except in a HIPAA situation it can have a very bad outcome" if there is a data breach involving a business associate, he says.
AMCA is a HIPAA business associate, and court filings suggest it may have committed HIPAA violations, such as failure to conduct a risk analysis, review system activity and detect malicious software, Hales says. Although patients cannot sue based solely on HIPAA violations, failure to comply with HIPAA can be used as a standard in other types of lawsuits alleging negligence caused harm, he contends.
Attorneys representing individuals impacted by the AMCA breach will look at the level of control Quest Diagnostics, LabCorp and other clients had over AMCA's data security and other practices that potentially established the collection agency as an "agent," Hales says.
Plaintiffs' attorneys will want to go after the labs served by AMCA because of their financial resources, the attorney says. "AMCA is really the small fish. The deep pockets are with the laboratory companies and their parents."
In this in-depth interview, Hales also discusses:
- What to expect next in the many class action lawsuit petitions that have been filed in federal courts across the country against AMCA and its large medical testing laboratory clients;
- Why AMCA's compliance with federal regulations other than HIPAA will also potentially be a key issue;
- The growing risks of medical identity theft and fraud following a health data breach.
Hales is a private practice health information security and privacy attorney. He's also an attorney and principal health information consultant with ET&C Group LLC, an international HIPAA compliance consulting practice based in St. Louis.